Saturday, October 3, 2020

Public ICS Disclosures – Week of 9-26-20

This week we have ten vendor disclosures for products from WAGO (3), IBM, Bosch, B&R Automation (2), Moxa, BD, and Philips.

WAGO Advisories

CERT-VDE published an advisory describing an improper authentication and authorization vulnerability in the WAGO 750-8XX series PLCs. The vulnerability was reported by Maxim Rupp. WAGO has new firmware versions that mitigate the vulnerability. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

CERT-VDE published an advisory describing an improper authentication and access control vulnerability in the WAGO 750-36X and WAGO 750-8XX series PLCs. The vulnerability was reported by Maxim Rupp. WAGO has new firmware versions that mitigate the vulnerability. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

CERT-VDE published an advisory describing an improper neutralization of input during web page generation vulnerability in the Web-UI for WAGO 750-88X and WAGO 750-89X series PLCs. This vulnerability was reported by Secuninja. WAGO has new firmware versions that mitigate the vulnerability. There is no indication that Secuninja has been provided an opportunity to verify the efficacy of the fix.

IBM Advisory

IBM published an advisory describing an authentication bypass vulnerability in their Maximo Asset Management product. The vulnerability is being self-reported. IBM has updates that mitigate the vulnerability.

Bosch Advisory

Bosch published an advisory describing three vulnerabilities in their PRAESIDEO Network Controller and the PRAESENSA System Controller products. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. Bosch has software updates for the supported products that mitigate the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2020-6777,

• Cross-site request forgery - CVE-2020-6776, and

• Nonce reuse attack - CVE-2020-15688

NOTE: The last is a third-party vulnerability (GoAhead web server).

B&R Advisories

B&R published an advisory describing four vulnerabilities in their GateManager product. These vulnerabilities were reported by NCCIC-ICS on July 28th as being for the Secomea GateManager.

B&R published an advisory describing six vulnerabilities in their SiteManager and GateManager products. These vulnerabilities were reported by NCCIC-ICS last Tuesday, but the B&R advisory was not available when I published my blog post. It is not clear if the Secomea versions of these products are also affected by these vulnerabilities.

Moxa Advisory

Moxa published an advisory describing a device information leak vulnerability in their EDR-810 Series Industrial Secure Routers. The vulnerability was reported by the National Security Agency (yep, that is what the advisory says). Moxa has provided generic workarounds to mitigate the vulnerability.

BD Advisory

BD published an advisory describing a remote code execution vulnerability (CVE-2020-1147) in a third-party component (Microsoft) of a long list of their products. BD is working on testing and validation of the Microsoft patch.

Philips Advisory

Philips published an advisory describing a privilege elevation vulnerability (CVE-2020-1472) in a third-party component (Microsoft) of an undisclosed number of Philips products. No mitigation information has been provided.
